A … Framework for Verifying Concurrent C Programs

Sagar Chaki

Thesis Defense Talk
Motivation

[Figure: requirements are turned into a specification (specification validation); distributed programs with message-passing communicating components are turned into code (code validation); a conformance check relates the specification to the code.]
Related Work

Model checking
  Symbolic model checking (SMV, MURPHI, MOCHA)
  Partial order reduction (SPIN, COSPAN)

Compositional reasoning
  Assume-guarantee

Abstraction
  Abstract interpretation, existential abstraction

Message-passing systems
  CCS, π-calculus
  Simulation, bisimulation, …
Iterative Refinement

[Figure: the iterative refinement loop. Abstraction turns the System into a Model, steered by abstraction guidance; Verification checks the Model against the Spec. "Yes" means the System is OK. "No" yields a Counterexample, which is checked for validity: a valid counterexample is reported, a spurious counterexample drives Abstraction Refinement, which produces improved abstraction guidance and restarts the loop.]
Related Work

Iterative Refinement (Kurshan)
  Hardware
    Yuan Lu (Ph.D. thesis)
  SLAM (device drivers)
  BLAST (lazy abstraction, thread-modular safety)
Concurrent software
  SPIN, Behave!, ZING
    Own modeling language
    No iterative refinement
Safety properties
Contributions

Compositional Iterative Refinement (IR)
  Concurrent message-passing programs
  Simulation conformance
Combining predicate abstraction with existential abstraction
Predicate minimization
Compositional IR for liveness properties
Compositional IR for deadlock detection
Basic Concepts

$\mathit{Var}$ : set of variables
$\mathit{Expr}$ : expressions over $\mathit{Var}$
$\mathit{Store}$ : set of stores
  $\mathit{Var} \to \mathit{Addresses}$
  $\mathit{Addresses} \to \mathit{Values}$
$AP$ : set of atomic propositions
  $\mathit{Conc} : AP \to \mathit{Expr}$
Extended FSM

Transitions labeled with guarded commands
  Guards are expressions
  Commands are actions or assignments

[Figure: a two-state EFSM whose transitions carry the guarded commands "x == 0 ? x++", "true ? …" and "x != 0 ? …".]
Control Flow Graph

[Figure (two slides): a component that calls a library routine lib(); its CFG has nodes 1 and 2 and edges labeled "x=x+y", "x == 0 ? x++", "x != 0 ? …" and "true ? …". The call to lib() is replaced by EFSM(lib), giving the CFG used in the following slides.]
Labeled Kripke Structure

$M = (Q, I, \Sigma, T, AP, L)$
  $Q$ ≡ non-empty set of states
  $I \in Q$ ≡ initial state
  $\Sigma$ ≡ set of actions ≡ alphabet
  $T \subseteq Q \times \Sigma \times Q$ ≡ transition relation
  $AP$ ≡ set of atomic propositions (a subset of the global $AP$)
  $L : Q \to 2^{AP}$ ≡ propositional labeling

[Figure: an example LKS over $AP = \{p, q, r, s\}$ with a six-action alphabet $\Sigma$; its states are labeled $\{q\}$, $\{p\}$, $\{r\}$, $\{p, r\}$ and $\{p, q\}$.]
Concurrent C Program

Set of components $P = \langle C_1, \ldots, C_n \rangle$

Each $C_i$ is a single C procedure
  Possibly calling library routines
  Library routines are specified via EFSMs

The semantics of $C$ is an LKS
  It depends on the library specifications
Concrete Semantics of C

$\mathit{Context} = (\mathit{Init}, \mathit{EFSM}, \_, \_, AP)$
$S_{CFG}$ ≡ states of the CFG
$I_{CFG}$ ≡ initial state of the CFG

$M_C = (Q, I, \Sigma \cup \_, T, AP, L)$

$Q = S_{CFG} \times \mathit{Store}$

$I = \{ (s, \sigma) \mid s = I_{CFG} \text{ and } \sigma \models \mathit{Init} \}$

$L(s, \sigma) = \{ p \mid \sigma \models \mathit{Conc}(p) \}$
Concrete Semantics

[Figure: a fragment of $M_C$ for the CFG above. Concrete states such as (x=1, y=-3), (x=-2, y=-3), (x=5, y=-5), (x=0, y=-5) and (x=1, y=-5) are paired with CFG nodes 1 and 2 and connected by the edges "x=x+y", "x == 0 ? x++", "x != 0 ?" and "true ?"; the states with x=0 are labeled $p$, where $p \equiv (x = 0)$.]
Predicate Abstraction

$\mathit{Pred} \subseteq \mathit{Expr}$
  Set of expressions (predicates) associated with each state of the CFG

$\mathit{Pred} \supseteq \{ \mathit{Conc}(p) \mid p \in AP \}$
  The predicate corresponding to every atomic proposition must be associated with each state of the CFG

In practice each CFG state has a different set of associated predicates
Valuation : Two Views

Valuation ≡ minterm over $\mathit{Pred}$
Set of all valuations ≡ $2^{\mathit{Pred}}$
$\mathit{Pred} = \{ x = 0,\ y = 0 \}$

  Expression                          Subset of Pred
  $x \neq 0 \wedge y \neq 0$     ⇔    $\{\}$
  $x = 0 \wedge y \neq 0$        ⇔    $\{x = 0\}$
  $x \neq 0 \wedge y = 0$        ⇔    $\{y = 0\}$
  $x = 0 \wedge y = 0$           ⇔    $\{x = 0,\ y = 0\}$
Abstract Semantics of C

$\mathit{Context} = (\mathit{Init}, \mathit{EFSM}, \_, \_, AP, \mathit{Pred})$
$S_{CFG}$ ≡ states of the CFG
$I_{CFG}$ ≡ initial state of the CFG

$M[C] = (Q, I, \Sigma \cup \_, T, AP, L)$

$Q = S_{CFG} \times 2^{\mathit{Pred}}$

$I = \{ (s, v) \mid s = I_{CFG} \text{ and } v \Vdash \mathit{Init} \}$

$L(s, v) = \{ p \mid \mathit{Conc}(p) \in v \}$
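The following is an added example, my own code rather than the thesis's or the MAGIC tool's, showing how the abstract states $S_{CFG} \times 2^{\mathit{Pred}}$, their labeling $L(s,v)$ and the existential abstract transition relation arise from a concrete CFG. The four-edge CFG over x and y, the predicate set {x = 0, y = 0} and the single atomic proposition p are constructed for illustration, and the bounded integer domain is an assumption: the thesis discharges each "is there a concrete store pair realising this abstract transition?" query with a theorem prover, whereas this code simply enumerates stores so it can run offline. The abstraction is therefore exact for the chosen domain, which also makes its over-approximation visible (from the valuation {} the edge x = x + y can land in either {} or {x = 0}).

```python
from itertools import combinations, product

# Constructed bounded domain for x and y (assumption; the real tool uses a prover).
DOMAIN = range(-2, 3)

# Constructed CFG: (source node, action label, guard, command, destination node).
# Guards and commands act on a store represented as the pair (x, y).
EDGES = [
    (0, "x = x + y",    lambda x, y: True,   lambda x, y: (x + y, y), 1),
    (1, "x == 0 ? x++", lambda x, y: x == 0, lambda x, y: (x + 1, y), 2),
    (1, "x != 0 ?",     lambda x, y: x != 0, lambda x, y: (x, y),     2),
    (2, "true ?",       lambda x, y: True,   lambda x, y: (x, y),     0),
]
CFG_STATES = {e[0] for e in EDGES} | {e[4] for e in EDGES}

# Pred = {x = 0, y = 0}; AP = {p} with Conc(p) = (x = 0).
PRED = {"x = 0": lambda x, y: x == 0, "y = 0": lambda x, y: y == 0}
CONC = {"p": "x = 0"}


def valuation(store):
    """The minterm of Pred that a concrete store satisfies, as the set of true predicates."""
    x, y = store
    return frozenset(name for name, holds in PRED.items() if holds(x, y))


def concrete_transitions():
    """Transitions of M_C restricted to DOMAIN: ((s, sigma), alpha, (s', sigma'))."""
    trans = set()
    for src, act, guard, cmd, dst in EDGES:
        for store in product(DOMAIN, DOMAIN):
            if guard(*store):
                trans.add(((src, store), act, (dst, cmd(*store))))
    return trans


def abstract_lks():
    """M[C]: states S_CFG x 2^Pred, L(s,v) = {p | Conc(p) in v}, and an abstract
    transition ((s,v), alpha, (s',v')) exactly when some concrete transition
    ((s,sigma), alpha, (s',sigma')) with sigma |= v and sigma' |= v' exists."""
    trans = {((s, valuation(sg)), a, (t, valuation(sg2)))
             for (s, sg), a, (t, sg2) in concrete_transitions()}
    valuations = {frozenset(c) for r in range(len(PRED) + 1)
                  for c in combinations(PRED, r)}
    states = set(product(CFG_STATES, valuations))
    labels = {(s, v): frozenset(p for p, e in CONC.items() if e in v)
              for (s, v) in states}
    return states, trans, labels


def abstract_successors(trans, s, v, act):
    """Abstract successors of (s, v) under the edge labelled act."""
    return {t for (src, a, t) in trans if src == (s, frozenset(v)) and a == act}


def every_concrete_step_matched(ctrans, atrans):
    """The relation (s,sigma) R (s,v) iff sigma |= v matches every concrete step,
    which is the simulation witness for M_C <= M[C]."""
    return all(((s, valuation(sg)), a, (t, valuation(sg2))) in atrans
               for (s, sg), a, (t, sg2) in ctrans)


if __name__ == "__main__":
    S, T, L = abstract_lks()
    print(len(S), "abstract states,", len(T), "abstract transitions")
    for v in ({"x = 0", "y = 0"}, {"x = 0"}, {"y = 0"}, set()):
        print(0, sorted(v), "--x = x + y-->", abstract_successors(T, 0, v, "x = x + y"))
```

Note that the edge x == 0 ? x++ is only enabled from valuations containing x = 0, and from {x = 0, y = 0} it leads to node 2 with valuation {y = 0}, exactly the kind of transition shown in the Abstract Semantics figure.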
Abstract Semantics

[Figure: the corresponding fragment of $M[C]$ with $\mathit{Pred} = \{x = 0,\ y = 0\}$. Abstract states such as (x≠0, y=0) and (x=0, y=0) are paired with CFG nodes 1 and 2 and connected by the edges "x=x+y", "x == 0 ? x++", "x != 0 ?" and "true ?"; states whose valuation contains x = 0 are labeled $p$, where $p \equiv (x = 0)$.]
Simulation

$M_1 = (Q_1, I_1, \Sigma, T_1, AP, L_1)$
$M_2 = (Q_2, I_2, \Sigma, T_2, AP, L_2)$

$R \subseteq Q_1 \times Q_2$ is a simulation relation if $s_1\, R\, s_2 \Rightarrow$
  $L_1(s_1) = L_2(s_2)$
  $\forall (s_1, \alpha, s_1') \in T_1 \cdot \exists s_2' \cdot (s_2, \alpha, s_2') \in T_2 \wedge s_1'\, R\, s_2'$

$M_1 \preceq M_2 \equiv \exists R \subseteq Q_1 \times Q_2 \cdot \forall s_1 \in I_1 \cdot \exists s_2 \in I_2 \cdot s_1\, R\, s_2$
$M_C \preceq M[C]$

$\sigma(e)$ ≡ evaluation of $e$ under $\sigma$
$\sigma \models e \equiv \sigma(e) \neq 0$

Define the relation $R \subseteq Q_C \times Q_{[C]}$ by
  $(s, m)\, R\, (s, v) \Leftrightarrow m \models v$
$R$ is a simulation relation, and
  $\forall s \in I_C \cdot \exists [s] \in I_{[C]} \cdot s\, R\, [s]$
Parallel Composition

$M_1 = (Q_1, I_1, \Sigma_1, T_1, AP_1, L_1)$
$M_2 = (Q_2, I_2, \Sigma_2, T_2, AP_2, L_2)$

$M_1 \| M_2 = (Q_1 \times Q_2,\ I_1 \times I_2,\ \Sigma_1 \cup \Sigma_2,\ T,\ AP_1 \cup AP_2,\ L)$

  $L(s_1, s_2) = L_1(s_1) \cup L_2(s_2)$

  $((s_1, s_2), \alpha, (s_1', s_2')) \in T$ iff for each $i \in \{1, 2\}$ either
    $\alpha \in \Sigma_i \wedge (s_i, \alpha, s_i') \in T_i$, or
    $\alpha \notin \Sigma_i \wedge s_i = s_i'$
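As an added example (my own code, not from the thesis or the MAGIC tool), the following implements the simulation check of the previous slide and the parallel composition defined here for finite LKSs: the greatest simulation relation is computed by starting from all label-compatible state pairs and discarding pairs that violate the transition condition until nothing changes, and composition synchronises on shared actions while letting each component take its private actions alone. The client, the two servers, the specification, the actions send/ack and the proposition busy are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class LKS:
    """Labeled Kripke Structure M = (Q, I, Sigma, T, AP, L)."""
    states: set
    init: set
    alphabet: set
    trans: set        # triples (q, a, q')
    ap: set
    label: dict       # q -> frozenset of atomic propositions true in q

    def succ(self, q, a):
        return {t for (s, b, t) in self.trans if s == q and b == a}

    def out(self, q):
        return {(a, t) for (s, a, t) in self.trans if s == q}


def greatest_simulation(m1, m2):
    """Largest R subset of Q1 x Q2 satisfying the two simulation conditions:
    start from label-compatible pairs and refine until a fixpoint is reached."""
    R = {(s1, s2) for s1 in m1.states for s2 in m2.states
         if m1.label[s1] == m2.label[s2]}
    changed = True
    while changed:
        changed = False
        for (s1, s2) in list(R):
            # every move of s1 must be matched by a move of s2 into a related pair
            if all(any((t1, t2) in R for t2 in m2.succ(s2, a)) for (a, t1) in m1.out(s1)):
                continue
            R.discard((s1, s2))
            changed = True
    return R


def simulates(m1, m2):
    """M1 <= M2: every initial state of M1 is related to some initial state of M2."""
    R = greatest_simulation(m1, m2)
    return all(any((s1, s2) in R for s2 in m2.init) for s1 in m1.init)


def compose(m1, m2):
    """M1 || M2 as on the slide: shared actions synchronise, private actions interleave."""
    states = set(product(m1.states, m2.states))
    sigma = m1.alphabet | m2.alphabet
    trans = set()
    for (s1, s2) in states:
        for a in sigma:
            n1 = m1.succ(s1, a) if a in m1.alphabet else {s1}
            n2 = m2.succ(s2, a) if a in m2.alphabet else {s2}
            trans |= {((s1, s2), a, (t1, t2)) for t1 in n1 for t2 in n2}
    label = {(s1, s2): m1.label[s1] | m2.label[s2] for (s1, s2) in states}
    return LKS(states, set(product(m1.init, m2.init)), sigma, trans, m1.ap | m2.ap, label)


def lks(trans, init, busy=()):
    """Constructed helper: build an LKS from transition triples; AP = {busy}."""
    states = {s for (s, _, _) in trans} | {t for (_, _, t) in trans}
    alphabet = {a for (_, a, _) in trans}
    label = {s: frozenset({"busy"}) if s in busy else frozenset() for s in states}
    return LKS(states, set(init), alphabet, set(trans), {"busy"}, label)


# Constructed systems. Spec: at most one request outstanding at any time.
SPEC = lks({(0, "send", 1), (1, "ack", 0)}, init={0}, busy={1})
# Client that may resend before the ack arrives.
CLIENT = lks({("c0", "send", "c1"), ("c1", "send", "c2"),
              ("c1", "ack", "c0"), ("c2", "ack", "c0")}, init={"c0"}, busy={"c1", "c2"})
# Strict server: refuses a second send while one is pending.
STRICT = lks({("s0", "send", "s1"), ("s1", "ack", "s0")}, init={"s0"})
# Lax server: accepts the duplicate send, so the composed program violates SPEC.
LAX = lks({("s0", "send", "s1"), ("s1", "send", "s1"), ("s1", "ack", "s0")}, init={"s0"})

if __name__ == "__main__":
    print("client || strict <= spec:", simulates(compose(CLIENT, STRICT), SPEC))
    print("client || lax    <= spec:", simulates(compose(CLIENT, LAX), SPEC))
```

With the strict server the composed program cannot perform the second send (the server blocks it), so the conformance check succeeds; with the lax server the program reaches a state that can send while the specification's busy state cannot, and the pair is dropped from the candidate relation until no initial pair survives.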
Program Semantics

$P = \langle C, C' \rangle$
$M_P = M_C \| M_{C'}$
$M[P] = M[C] \| M[C']$

[Figure: $M_C \preceq M[C]$ and $M_{C'} \preceq M[C']$ componentwise, hence $M_P \preceq M[P]$.]

Abstraction is done modularly

In shorthand: $P = C \| C'$ and $[P] = [C] \| [C']$, with $C \preceq [C]$, $C' \preceq [C']$ and therefore $P \preceq [P]$.
Verification

Specification is an LKS $\mathit{Spec}$
Given $P$ and $\mathit{Spec}$, check if $P \preceq \mathit{Spec}$

1. Construct $[P]$
2. Check if $[P] \preceq \mathit{Spec}$
   1. $P \preceq [P] \wedge [P] \preceq \mathit{Spec} \Rightarrow P \preceq \mathit{Spec}$
   2. Otherwise …
Counterexample

$\neg ([P] \preceq \mathit{Spec}) \Rightarrow \exists CE \cdot CE \preceq [P] \wedge \neg (CE \preceq \mathit{Spec})$
  $CE$ has a tree structure

See Chapter 5 for the procedure that checks $[P] \preceq \mathit{Spec}$ and constructs $CE$ if necessary
Counterexample Validation

Check if $CE \preceq P$

$\neg (CE \preceq \mathit{Spec}) \wedge CE \preceq P \Rightarrow \neg (P \preceq \mathit{Spec})$
  Real counterexample

$P = C \| C'$
Problems

Checking $CE \preceq C \| C'$ faces two problems:
  Infinite states → symbolic representation
  State-space explosion → compositional reasoning
LKS Projection

[Figure (two slides): the example LKS $M$ over $AP = \{p, q, r, s\}$ with a six-action alphabet $\Sigma$ is projected onto a three-action alphabet $\Sigma'$ (containing $z$) and $AP' = \{p, r, t\}$. The projection keeps the actions in $\Sigma \cap \Sigma'$ and renames the others to the silent action $\tau$, so its alphabet is $(\Sigma \cap \Sigma') \cup \{\tau\}$, and it restricts each state label to $AP \cap AP'$: the labels $\{q\}$, $\{p\}$, $\{r\}$, $\{p,r\}$, $\{p,q\}$ become $\{\}$, $\{p\}$, $\{r\}$, $\{p,r\}$, $\{p\}$.]

$M \upharpoonright \{\Sigma', AP'\}$ denotes this projection
$M' = (\ldots, \Sigma', AP', \ldots) \Rightarrow M \upharpoonright M' \equiv M \upharpoonright \{\Sigma', AP'\}$
Weak Simulation

$M_1 = (Q_1, I_1, \Sigma \cup \{\tau\}, T_1, AP, L_1)$
$M_2 = (Q_2, I_2, \Sigma, T_2, AP, L_2)$

$R \subseteq Q_1 \times Q_2$ is a weak simulation relation if $s_1\, R\, s_2 \Rightarrow$
  $L_1(s_1) = L_2(s_2)$
  $\forall (s_1, \alpha, s_1') \in T_1$ with $\alpha \in \Sigma \cdot \exists s_2' \cdot (s_2, \alpha, s_2') \in T_2 \wedge s_1'\, R\, s_2'$
  $\forall (s_1, \tau, s_1') \in T_1 \cdot s_1'\, R\, s_2$

$M_1 \precsim M_2 \equiv \exists R \subseteq Q_1 \times Q_2 \cdot \forall s_1 \in I_1 \cdot \exists s_2 \in I_2 \cdot s_1\, R\, s_2$
Compositional Validation

$CE \preceq C \| C'$
  ⇔
$CE \upharpoonright C \precsim C \ \wedge\ CE \upharpoonright C' \precsim C'$

The remaining problem is that $C$ has infinitely many states → symbolic representation
Symbolic Representation

$M_C = (Q, I, \Sigma, T, AP, L)$

There exists a class $\mathcal{R} \subseteq 2^Q$ such that
  each $r \in \mathcal{R}$ has a finite representation
  $Q \in \mathcal{R}$
  $\mathcal{R}$ is closed under intersection and pre-image
  given $r \in \mathcal{R}$ one can check whether $r = \emptyset$
Checking $CE \upharpoonright C \precsim C$

[Figure (three slides): the tree-structured $CE \upharpoonright C$ is matched against $M_C$ backwards. Starting from the full state set $Q$ at the leaves, the pre-image of $Q$ under each counterexample transition is computed, intersected with $Q$ where branches join ($Q \cap \mathit{pre}(Q)$), and the intersection obtained at the root is tested for emptiness ($= \emptyset$?). Every set involved lies in the class $\mathcal{R}$, so each step has a finite representation.]
Abstraction Refinement

Check if $CE \preceq P$

$CE \preceq P \Rightarrow$ real counterexample

Otherwise update the set $\mathit{Pred}$ such that for the new $[P]$ we have $\neg (CE \preceq [P])$
  Chapter 6

Minimize the number of predicates to be added
  Chapter 7
Case Study: SSL Handshake

Verify that OpenSSL correctly implements the SSL handshake
  Server and client code
  Each about 2500 LOC
  400 LOC after abstracting away library routine calls

Analyzed client and server separately and together
SSL Results

NAME                    SRVR-CLNT    SERVER    CLIENT
LINES OF CODE                4967      2483      2484
NO. OF ITER                   175        64        71
AVG. MODEL SIZE             77474      8984      6747
AVG. MODEL TIME (SEC)         3.3      40.2      28.7
SPEC SIZE (ST/TR)             6/5     32/67     29/60
AVG. HORN VAR NUM          387375    287472    195635
AVG. HORN CLAUSE NUM      1386980    352150    238296
VERIF TIME                  13786      1636      1217
TOTAL TIME (SEC)            21134      8639      7437
MEMORY (MB)                  1105       743       185
Thoughts

Predicate abstraction alone is inadequate for concurrent systems
  States from different control locations are always kept distinct
  They might be merged

How do we combine other kinds of abstraction with predicate abstraction?
Iterative Refinement, revisited

[Figure (three slides): the iterative refinement loop from before. First the Verification box is identified with a model checker (IR ≡ Model Checking); then the Verification box is itself replaced by an inner Iterative Refinement loop (Verification ≡ IR), giving a two-level scheme.]
Existential Abstraction

$M = (Q, I, \Sigma, T, AP, L)$

Equivalence $R \subseteq Q \times Q$
  compatible with the propositional labeling:
  $s\, R\, s' \Rightarrow L(s) = L(s')$
  $[s]$ ≡ equivalence class of $s$

Induces a quotient LKS $M_R$
Example

[Figure: an LKS $M$ with states 1 to 7 (state 1 initial and labeled $p$) and transitions $1 \xrightarrow{a} 2$, $1 \xrightarrow{b} 3$, $2 \xrightarrow{d} 3$, $2 \xrightarrow{b} 4$, $2 \xrightarrow{c} 5$, $3 \xrightarrow{a} 6$, $3 \xrightarrow{e} 7$, next to its quotient $M_R$ with classes $[1]$, $[2,3]$, $[4,5]$, $[6,7]$ and transitions $[1] \xrightarrow{a,b} [2,3]$, $[2,3] \xrightarrow{d} [2,3]$, $[2,3] \xrightarrow{b,c} [4,5]$, $[2,3] \xrightarrow{a,e} [6,7]$.]

Theorem: $M \preceq M_R$
Proof: $\{(s, [s])\}$ is a simulation relation
Verification

Given $[P] = [C] \| [C']$ and $\mathit{Spec}$
1. Use equivalence relations $R$ and $R'$
   Initially $R$ and $R'$ are maximal
2. Construct $[P]_{RR'} = [C]_R \| [C']_{R'}$
   $[P] \preceq [P]_{RR'}$
3. Check if $[P]_{RR'} \preceq \mathit{Spec}$
   1. $[P] \preceq [P]_{RR'} \wedge [P]_{RR'} \preceq \mathit{Spec} \Rightarrow [P] \preceq \mathit{Spec}$
   2. Otherwise …
Splitting R

[Figure (two slides): a counterexample with $CE \upharpoonright [C]_R \precsim [C]_R$ that cannot be reproduced in $[C]$ (which $[C]_R$ over-approximates) is eliminated by splitting the equivalence class of $R$ that merged the distinguishing states.]

Repeated splitting ⇒ $C_R$ converges to the bisimulation quotient of $C$
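The following is an added example, my own code and not the thesis's, covering both the quotient construction from the Existential Abstraction slide and the class-splitting step of this slide. An equivalence $R$ is represented as a partition of the states into blocks; quotient() checks that the partition is compatible with the labeling and builds $M_R$, split() divides one block according to which of its states can reach a given target block under a given action, and refine() repeats such splits until no block changes, which is the standard partition-refinement route to the coarsest bisimulation respecting the initial partition, the convergence stated above. The seven-state LKS is the one from the Example slide as read from its figure, with the initial partition $\{1\}, \{2,3\}, \{4,5\}, \{6,7\}$ shown there; states 2 and 3 end up separated because only state 2 has a $d$-transition back into its own class.

```python
from itertools import product


def quotient(states, init, trans, label, partition):
    """Quotient LKS M_R for the equivalence R given as a partition into frozenset blocks.
    Raises ValueError if R is not compatible with the labeling (s R s' must imply L(s) = L(s'))."""
    block_of = {s: blk for blk in partition for s in blk}
    for blk in partition:
        if len({label[s] for s in blk}) != 1:
            raise ValueError(f"block {set(blk)} is not compatible with the labeling")
    q_states = set(partition)
    q_init = {block_of[s] for s in init}
    q_trans = {(block_of[s], a, block_of[t]) for (s, a, t) in trans}
    q_label = {blk: label[next(iter(blk))] for blk in partition}
    return q_states, q_init, q_trans, q_label


def split(block, action, target, trans):
    """Split `block` into the states that have an `action`-transition into `target`
    and those that do not; returns one or two non-empty blocks."""
    can = frozenset(s for s in block if any((s, action, t) in trans for t in target))
    cannot = block - can
    return [b for b in (can, cannot) if b]


def refine(partition, trans, actions):
    """Split blocks against every (action, block) pair until the partition is stable.
    A stable partition that respects the labeling is a bisimulation, so the result is
    the coarsest bisimulation refining `partition`."""
    partition = list(partition)
    changed = True
    while changed:
        changed = False
        for blk in partition:
            for act, target in product(sorted(actions), list(partition)):
                pieces = split(blk, act, target, trans)
                if len(pieces) > 1:
                    partition.remove(blk)
                    partition.extend(pieces)
                    changed = True
                    break
            if changed:
                break
    return partition


# The LKS of the Example slide, reconstructed from its figure.
STATES = set(range(1, 8))
INIT = {1}
TRANS = {(1, "a", 2), (1, "b", 3), (2, "d", 3), (2, "b", 4), (2, "c", 5),
         (3, "a", 6), (3, "e", 7)}
LABEL = {s: frozenset() for s in STATES}
LABEL[1] = frozenset({"p"})
ACTIONS = {a for (_, a, _) in TRANS}
INITIAL_R = [frozenset({1}), frozenset({2, 3}), frozenset({4, 5}), frozenset({6, 7})]

if __name__ == "__main__":
    _, _, qt, _ = quotient(STATES, INIT, TRANS, LABEL, INITIAL_R)
    print("M_R transitions:", sorted((sorted(s), a, sorted(t)) for (s, a, t) in qt))
    print("bisimulation quotient blocks:", [sorted(b) for b in refine(INITIAL_R, TRANS, ACTIONS)])
```

Splitting a block against the blocks of the current partition, rather than against fixed splitters, keeps the code short at the cost of redundant work; the fixpoint it reaches is the same.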
Two Level IR

[Figure (animation over six slides): components $C_1, C_2, C_3, C_4$ and $\mathit{Spec}$. Predicate abstraction yields $[C_1], [C_2], [C_3], [C_4]$, checked against $\mathit{Spec}$ with $\preceq$; existential abstraction of these yields $A_1, A_2, A_3, A_4$, also checked against $\mathit{Spec}$. Existential refinement re-splits the $A_i$ one at a time ($A_1$, then $A_1$ and $A_3$, then $A_1$, $A_2$ and $A_3$, …); only when a counterexample survives existential refinement is the predicate abstraction of the responsible component ($[C_2]$) refined. The loop ends with either "no bugs" or a real counterexample.]
Results

Test      One Level                     Two Level                    Gain
Name      S1        M1      T1          S2       M2     T2           T1/T2    M1/M2
SSL-1     157266    1023    886         15840    122    1081         0.82     8.39
SSL-2     201940    1070    1645        6072     64     500          3.29     16.72
SSL-3     203728    1003    1069        20172    130    1805         0.59     7.72
SSL-4     201940    640     1184        7808     69     482          2.46     9.28
SSL-5     184060    780     1355        6240     64     407          3.33     12.19
SSL-6     158898    426     695         2310     56     219          3.17     7.61
SSL-7     103566    250     447         7743     74     472          0.95     3.38
SSL-8     161580    945     1071        4617     64     387          2.77     14.77
SSL-9     214989    1475    1515        13800    106    716          2.12     13.92
SSL-10    118353    663     628         3024     60     402          1.56     11.05
SSL-11    204708    1131    794         8820     79     446          1.78     14.32
SSL-12    121170    373     303         2079     56     204          1.49     6.66
SSL-13    152796    361     579         3780     60     349          1.66     6.02
Summary

Compositional IR for concurrent programs
  Message-passing communication
  Simulation conformance

Combine predicate abstraction and existential abstraction in a two-level compositional IR algorithm
  Experimental validation
Thank you!

Edmund Clarke
  Exemplary advisor
Alex Groce, Somesh Jha, Helmut Veith
  The original magicians
Tom Ball, Sriram Rajamani, Jakob Rehof
  Superb summer job mentors
Orna Grumberg, Joel Ouaknine, Natalia Sharygina, Ofer Strichman, Karen Yorav
  Awesome guides
Randal Bryant, David Garlan
  Excellent thesis committee members

Questions?